Cisco Support Community
Community Member

VPN Clients Internet Browsing

I have set up in a lab right now an ASA 5520 with a live internet connection. I have a 2611 hanging off the inside interface, and a 2950 switch into which I have an AD server plugged in. I have VPN set up for Cisco VPN client. I can connect up just fine, get an address from the address pool and connect all over the lab. I cannot, however, get to the internet. If I try to ping or browse, it resolves the name to an address, but times out trying to get there. I can get to the internet from the lab PCs no problem. It's probably something simple I am missing; any help would be great. I am attaching the ASA config. Thanks!

8 REPLIES
Green

Re: VPN Clients Internet Browsing

Since you have already defined nat for the vpn clients, I assume you don't want to split tunnel...

global (Internet) 1 72.X.X.X netmask 255.255.255.255

nat (Internet) 1 0.0.0.0 0.0.0.0

To complete the hairpin, you are missing...

same-security-traffic permit intra-interface

Community Member

Re: VPN Clients Internet Browsing

Yeah, we are trying to avoid split-tunneling. Thanks, I added that but it's still not working.

Green

Re: VPN Clients Internet Browsing

Here's the Cisco doc...

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00805734ae.shtml

You should be ok. Check the client, status -> statistics -> route details. Make sure you have 0 0 under secured routes.

Community Member

Re: VPN Clients Internet Browsing

Ok, I will take a look at that, thanks. In the meantime, I am attaching my router and switch configs, just in case I missed something there, and if I did... I will be embarrassed :-)

Lab subnet - 192.168.2.0

VPN Pool - 192.168.200.0

Community Member

Re: VPN Clients Internet Browsing

Ok, I went through that document and still nothing, also I checked the client stats and do have 0 0 under secured routes.

Community Member

Re: VPN Clients Internet Browsing

Anyone else want to take a crack at this? I have rebuilt the whole ASA and here is the cleaned up config, but alas, still no internet for VPN users. When I ping a website, it resolves the name to an IP but times out.

Thanks

Green

Re: VPN Clients Internet Browsing

A few more things to try. Have you considered upgrading from 7.1.2?

Also, this route statement is not correct. Not that this will fix your internet problem however.

route Inside 192.168.0.0 255.255.0.0 192.168.210.1 1

Your vpn pool is part of 192.168.0.0/16 and is not reachable via 192.168.210.1.

This also shouldn't matter but try...

nat (Internet) 1 192.168.200.0 255.255.255.0

Community Member

Re: VPN Clients Internet Browsing

All set..after adding

No nat (Internet) 1 0.0.0.0 0.0.0.0

nat (Internet) 1 192.168.200.0 255.255.255.0

clear xlate

clear local

everything is working now. Thanks for the input!
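The checks the replies walk through (the intra-interface permit, a global/nat pair on the Internet interface that covers the VPN pool, and an Inside route that swallows the pool), collected into a small config audit as an added example that is not part of the original thread. The function name, the finding codes, the placeholder address 203.0.113.10 (standing in for the masked 72.X.X.X) and the /24 mask on the lab subnet are assumptions.

```python
import ipaddress
import re

# Constructed samples in ASA 7.x syntax, built from lines quoted in the thread.
BROKEN = """\
global (Internet) 1 203.0.113.10 netmask 255.255.255.255
nat (Internet) 1 0.0.0.0 0.0.0.0
route Inside 192.168.0.0 255.255.0.0 192.168.210.1 1
"""
FIXED = """\
same-security-traffic permit intra-interface
global (Internet) 1 203.0.113.10 netmask 255.255.255.255
nat (Internet) 1 192.168.200.0 255.255.255.0
route Inside 192.168.2.0 255.255.255.0 192.168.210.1 1
"""

def _net(addr, mask):
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def audit_hairpin(config, pool, outside="Internet"):
    """Return finding codes for a VPN pool that must hairpin out `outside`."""
    pool = ipaddress.ip_network(pool)
    lines = [line.strip() for line in config.splitlines()]
    findings = []
    if "same-security-traffic permit intra-interface" not in lines:
        findings.append("no-intra-interface")   # traffic cannot leave the interface it entered
    global_ids, nat_nets = set(), []            # NAT ids with a global; (id, source net) pairs
    for line in lines:
        m = re.match(r"global \((\S+)\) (\d+) ", line)
        if m and m.group(1) == outside:
            global_ids.add(m.group(2))
        m = re.match(r"nat \((\S+)\) (\d+) (\S+) (\S+)", line)
        if m and m.group(1) == outside:
            nat_nets.append((m.group(2), _net(m.group(3), m.group(4))))
        m = re.match(r"route (\S+) (\S+) (\S+) \S+", line)
        if m and m.group(1) != outside and pool.subnet_of(_net(m.group(2), m.group(3))):
            findings.append("route-overlap")    # static route points the pool at an inside hop
    covering = [n for i, n in nat_nets if i in global_ids and pool.subnet_of(n)]
    if not covering:
        findings.append("no-pool-nat")          # pool has no translation on the outside interface
    elif all(n.prefixlen == 0 for n in covering):
        findings.append("catch-all-nat-only")   # the thread's fix replaced this with the pool subnet
    return findings

if __name__ == "__main__":
    print(audit_hairpin(BROKEN, "192.168.200.0/24"))
    print(audit_hairpin(FIXED, "192.168.200.0/24"))
```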
